Supply Chain Risk Management

New Cyber Threats are Changing our Risk Assessments

Cybersecurity in the DoD Supply Chain

The cybersecurity of the supply chain has become a worrisome issue for the Defense Department. Cyber-attacks continue to reach epidemic proportions, and they target not just government-owned systems but defense contractors and their suppliers as well. What is worse, the Pentagon has very little control over the non-U.S. ownership of hundreds of corporations that may not be prime contractors or weapons manufacturers, but still provide somewhat sensitive products and services to the military.

Sophisticated vs. Conventional Attacks

There is also uneasiness about more sophisticated types of espionage, such as the acquisition of American firms that do business with the military. This is all in addition to fears of conventional attacks against Pentagon suppliers that have access to secret and unclassified but controlled technical information (UCTI).

The worry is that adversaries could penetrate networks that hold information about the movement of U.S. troops and equipment. This has prompted preemptive measures such as requiring contractors to certify the security of their networks and to report intrusions. The impact of DFARS flows all the way down from the government agencies that issue contracts, through their prime contractors to all subcontractors, and to their subcontractors in turn, or in other words, “all the way down the supply chain.”

Defense Federal Acquisition Regulation Supplement (DFARS)

The Defense Federal Acquisition Regulation Supplement (DFARS) is a wide-reaching set of regulations that includes IT-specific security requirements and is fast becoming a mandatory requirement in many DoD contracts.

Cybersecurity in the Commercial Supply Chain

A noticeable trend is gaining traction in the commercial sector. While some larger businesses have long understood the traditional risks in their supply chains and have worked to address them, some are now, finally, asking their suppliers to complete comprehensive questionnaires aimed at assessing just how secure their subcontractors’ and suppliers’ IT infrastructure is.

Considering that today’s cyber-attacks can deliver sophisticated, weaponized attachments and ransomware such as CryptoLocker, the stakes are very high. A crippled supplier can be shut down for days or, worse, could serve as a stealthy backdoor for an attacker who could then steal purchase order information, alter technical specifications, or launch a lateral attack on other vendors up and down the supply chain. Poisoning the supply chain this way can cause as much disruption as a natural disaster and be much harder to track down and deal with.

Compromising Firmware

If attackers are able to access and modify the binary code of systems provided by a vendor, they may add backdoors to that code, which can then be pushed out through the vendor’s existing auto-update mechanism. Customers receive the malicious code when the update is pushed out to their systems.

The challenges of compromising firmware are similar to those of compromising source code, with one additional problem: the attacker needs enough technical information to build firmware that actually runs on the target devices. That information would have to be acquired from within the organization itself, or by analysis of publicly available hardware.
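The mitigation a defender wants against a backdoored binary riding an auto-update channel is that the device trusts a vendor key pinned at manufacture time, not whatever the update server hands it. The following Go program is an added example (not code from the original article or from any vendor it describes) that shows that check end to end: the vendor signs a small manifest naming the image’s SHA-256 and release number, and the device verifies the manifest signature, the image hash, and that the version is newer than what is installed. The manifest format, the Ed25519 key pair, the monotonic version number and the three failure scenarios are all constructed assumptions for this illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest is the vendor-signed description of one firmware image. The device
// never trusts the image bytes on their own; it trusts the signature over this
// manifest and then checks that the bytes hash to the value the manifest names.
type Manifest struct {
	Version   uint32   // monotonically increasing release number (assumption)
	ImageHash [32]byte // SHA-256 of the firmware image bytes
}

// encode produces the canonical bytes that are signed and verified. The fixed
// prefix domain-separates manifest signatures from anything else the key signs.
func (m Manifest) encode() []byte {
	buf := []byte("firmware-manifest-v1\x00")
	var v [4]byte
	binary.BigEndian.PutUint32(v[:], m.Version)
	buf = append(buf, v[:]...)
	return append(buf, m.ImageHash[:]...)
}

// SignManifest runs in the vendor's release pipeline with the offline private key.
func SignManifest(priv ed25519.PrivateKey, m Manifest) []byte {
	return ed25519.Sign(priv, m.encode())
}

var (
	ErrBadSignature = errors.New("manifest signature does not verify against the pinned vendor key")
	ErrHashMismatch = errors.New("image bytes do not match the hash in the signed manifest")
	ErrRollback     = errors.New("manifest version is not newer than the installed version")
)

// VerifyUpdate is the check the device's updater performs before flashing.
// pinnedPub is the vendor key baked into the device at manufacture time; the
// update server that delivered m, sig and image is treated as untrusted transport.
func VerifyUpdate(pinnedPub ed25519.PublicKey, m Manifest, sig, image []byte, installed uint32) error {
	if !ed25519.Verify(pinnedPub, m.encode(), sig) {
		return ErrBadSignature
	}
	if sha256.Sum256(image) != m.ImageHash {
		return ErrHashMismatch
	}
	if m.Version <= installed {
		return ErrRollback
	}
	return nil
}

// Outcome collects the result of each constructed scenario so it can be checked.
type Outcome struct {
	Genuine, Tampered, Resigned, Rollback error
}

// RunScenarios builds a constructed release and replays the update-channel
// abuses described in the text against VerifyUpdate.
func RunScenarios() (Outcome, error) {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	const installed uint32 = 41 // version currently on the device (constructed)

	// Genuine release: the vendor hashes the image and signs the manifest.
	image := []byte("constructed firmware image v42")
	m := Manifest{Version: 42, ImageHash: sha256.Sum256(image)}
	sig := SignManifest(vendorPriv, m)

	// Scenario 1: a modified image is swapped in on the update server while the
	// manifest and signature are left untouched. The hash check catches it.
	tampered := append(append([]byte(nil), image...), []byte(" +modified")...)

	// Scenario 2: the manifest is rewritten to match the modified image and signed
	// with a key the device has never seen. The pinned key rejects it.
	_, otherPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	mOther := Manifest{Version: 42, ImageHash: sha256.Sum256(tampered)}
	sigOther := SignManifest(otherPriv, mOther)

	// Scenario 3: a genuinely signed but older release is replayed.
	oldImage := []byte("constructed firmware image v40")
	mOld := Manifest{Version: 40, ImageHash: sha256.Sum256(oldImage)}
	sigOld := SignManifest(vendorPriv, mOld)

	return Outcome{
		Genuine:  VerifyUpdate(vendorPub, m, sig, image, installed),
		Tampered: VerifyUpdate(vendorPub, m, sig, tampered, installed),
		Resigned: VerifyUpdate(vendorPub, mOther, sigOther, tampered, installed),
		Rollback: VerifyUpdate(vendorPub, mOld, sigOld, oldImage, installed),
	}, nil
}

func main() {
	out, err := RunScenarios()
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine update:  ", out.Genuine)
	fmt.Println("modified image:  ", out.Tampered)
	fmt.Println("re-signed image: ", out.Resigned)
	fmt.Println("rollback replay: ", out.Rollback)
}
```

The ordering of the checks matters: the signature is verified first so that nothing in an unauthenticated manifest (including its hash and version) is acted on before the vendor key has vouched for it. The version check is what stops a correctly signed but older, already-patched image from being replayed, which a hash-and-signature check alone would accept.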

Compromising Websites & Internal Portals

Attackers can also attempt to compromise websites and internal portals used by a vendor to communicate with their customers. This can be used in a watering hole attack against the vendor’s customers.

For this attack to be successful, the attacker must gather some information about the normal browsing patterns of both the vendor and the customer. In addition, to actually compromise any web servers, credentials for webmasters or server administrators must be obtained as well. This requires the attacker to become familiar with the vendor’s network, but it is not as difficult as the two preceding scenarios (compromising source code or firmware).

Spear Phishing from Trusted Vendor Email Accounts

An attacker who controls vendor systems and credentials can easily send emails to clients that appear to be legitimate. Even high-level personnel are readily victimized in this manner.

Direct Network Access from Trusted Vendors

A vendor’s access to their client’s network can also be abused. For example, if a vendor has access to a client network via VPN, an attack on the vendor could compromise the credentials needed to access that VPN. Similarly, secure tunnels could be accessed using compromised credentials.

An attacker would enter the IT supply chain the same way they would enter any other organization. Email is still a favored infection vector, with both malicious attachments and links to sites used to lure in users. These messages are made to appear to come from other organizations, chosen to be relevant to the target.